Isolation without Containers

Explore software fault isolation (SFI) techniques in this conference talk from Strange Loop. Dive into the various implementations of SFI, including sandboxes, processes, containers, and virtual machines. Learn about the advantages and disadvantages of different SFI methods, with a focus on sandboxing compilers. Discover how machine code generation, optimization, trap handling, and memory sandboxing work together to create safe and efficient isolation. Gain insights into the challenges of implementing SFI for edge computing and IoT applications. Examine a real-world example of a compiler and sandbox designed for running thousands of concurrent sandboxes in server applications. Understand the importance of SFI in operating systems, browsers, and server software, and how it prevents errors in one program from affecting others.

Isolation without Containers
Multi-tenancy
Isolation?
Resource Isolation
Fault Detection, Isolation, and Recovery
Fault Domain
Processes
Virtual Memory
Dynamic Libraries
Higher-level Isolation
Control Flow
Memory Safety
Calling Convention
Trap Tables
Bounds Checking
Bounds Check Elision
Review